Acceptable Use Policy


Table of Contents

Why Is an Acceptable Use Policy Important?
Preventing Cybersecurity Threats
Ensure Users are Avoiding Illegal Activity
Focus on Productivity
Acceptable Internet Use
Cybersecurity
Private Information
Guest Users
How Employers Can Better Enforce Their Acceptable Use Policies
Make Your Policies Known
Create a Plan for Correcting Issues
Use Straightforward Language and Formatting
Test Your Employees' Knowledge
AN ACCEPTABLE USE POLICY OR AUP IS AN INTEGRAL PART OF YOUR INFORMATION SECURITY POLICY.

Why Is an Acceptable Use Policy Important?
If your business provides internet access, then you need an AUP for these reasons:

Preventing Cybersecurity Threats

Businesses and institutions want to have some sort of control over what activity takes
place on their networks. Limiting what users can browse, download, and search on the
internet is all a part of keeping a safe network. If an employee were to open a
suspicious attachment or visit unsecured websites, they could make your network
vulnerable to hackers and viruses. Use user productivity monitoring tools to create a
safe environment with detailed governance.

Ensure Users are Avoiding Illegal Activity

An AUP can help ensure users are following the law. For instance, an AUP may strictly
prohibit users from pirating music, movies, or other files. It may outline that if a user is
violating these rules, they will be banned from the network. Having users break the
law on your network can become a liability for your business, which is why outlining
these prohibited activities in your AUP is so essential.

Focus on Productivity

Businesses can use an AUP to ensure their employees are working on their tasks rather
than browsing social media or tending to personal communications. Use employee
productivity monitoring tools to enforce safe usage parameters inside the
organization.

Acceptable Internet Use

Employers should have an internet use policy to ensure their employees are staying
on task during working hours. The level of freedom your team gets should depend on
the type of work they do. For instance, creative teams may need a larger scope of
access to be able to check out social media trends and pop culture. Other teams may
need access to the news or local reports to do their job right.

When deciding what's allowed, remember that your employees want to be treated like
adults. An overly restrictive AUP may hinder their work and make them feel that you
can't trust them. Many businesses choose to restrict the following types of websites:

• Social media
• Streaming
• Shopping
• News
• Personal email/communications
• Pornography
• Gambling
• Illegal activity

Cybersecurity

Protecting sensitive information is at the heart of most AUPs. It's crucial that you
outline which at-risk behaviours employees should avoid when using your network. A
data breach could cost your business and employees a lot of time and money, so use
your AUP to outline these common security policies:

• Keep all passwords private, and change them regularly
• Do not use public Wi-Fi on company devices
• Never open email attachments or links that you are not expecting. When
something appears suspicious, contact the IT department
• Sign up for two-factor authentication
• Social media is only allowed for business purposes

Private Information

Employees need to be able to send confidential information to one another securely.
In your AUP, outline how employees can safely send, view, and store company data.
If there happens to be a data breach, an AUP can also tell employees how to handle
such a situation. Outline how to report an incident, who to report it to, and any other
important protocols for when an employee is experiencing a network issue.

Guest Users

Many businesses have a separate network for their guests. When a guest logs on,
they usually have to sign an AUP. In this document, it's wise to make your policies
even stricter for those who are not employees. Make sure guests cannot access
internal files or information.

How Employers Can Better Enforce Their Acceptable Use Policies


It's one thing to get users to agree to your terms and conditions, and it's another to
make sure they are actually following them. Use these tips to get your employees to
respect and adhere to your AUP:

Make Your Policies Known

More often than not, users skim over an AUP without actually absorbing what is
included in the agreement. That's why you should also include the terms of your AUP
in your employee handbook. Along with this, you should also make the policies
common knowledge for all employees. You could do this during the onboarding
process or have an annual review of your AUP.

Create a Plan for Correcting Issues

When employees know there are actual consequences for violating your AUP, they
are more likely to follow your parameters. Have a clear policy on what management
will do if an employee is caught misusing the network. If you do learn that a user is
breaking the terms of your AUP, you need to enact these consequences consistently.
If you give people a free pass all of the time, employees are unlikely to take your AUP
seriously.

Use Straightforward Language and Formatting


Rather than using confusing legal jargon, write your AUP in terms that employees can
understand. A third-party organization with the right skills can help you
create an easy-to-comprehend document that still covers all of your bases. Along with
the actual wording, also make sure it's in a legible format. Make different sections per
topic. Bullet points and short phrases are much easier to read through than long
paragraphs.

Test Your Employees' Knowledge


After employees read through the policy, test their knowledge of the document. Letting
them know they will have to take a short quiz ahead of time will motivate them to
understand the entire AUP. Be willing to explain any part of the AUP so your
employees can feel confident about the information in there.

AN ACCEPTABLE USE POLICY OR AUP IS AN INTEGRAL PART OF YOUR INFORMATION SECURITY POLICY.

An Acceptable Use Policy is also one of the few documents that can physically show
“due diligence” with regard to the security of your network and the protection of
sensitive information and client data in the event of a breach or regulatory audit.

An AUP is sometimes referred to as an Internet and E-mail Policy or an Acceptable IT
Use Policy.

An AUP serves many of the same functions as the long-winded Terms of Service that
you see when signing up for a new service. Despite the difference in terms, these
policies provide statements as to what behaviour is acceptable from users that work
in or are connected to a network.

The findings of the recently released SANS Institute 2016 Threat Landscape Study
and fourth annual Check Point Security Report may help to provide some additional
perspective on why an Acceptable Use Policy is imperative for your organization. The
study reveals a 400 percent increase in the loss of business data records over the past
3 years. The most common entry point for threats into a network? End user actions.

The arguments between productivity, protection and privacy can make mobile device
security a difficult topic to address. Users are now more comfortable blurring the lines
between personal and work when it comes to personal mobile devices, not always
thinking about the implications. Most employees do not want to be the cause of a
network breach or data loss, yet one in five will do so either through malware or
malicious Wi-Fi. All it takes is one infection on one device to impact both corporate
and personal data and networks.

We have spoken to clients and prospective clients who respond to our question about
having an Acceptable Use Policy with a quizzical look and even indifference.
Depending on the type of data that passes through or is stored on your network, and
who or what has access to your network, apathy is a recipe for disaster. Counting on an
end user alone to “do the right thing” is not a viable security strategy.

Creating an effective AUP begins by collaborating with personnel from human
resources, finance, legal, IT, and security. The questions below can provide a good
starting point when creating your policy:

• When is it OK to send information outside the enterprise via e-mail, blogs and
message boards, media sharing and instant messages, and when is it not?
• What types of information are prohibited in the e-mail system? Personally
Identifiable Information? Payment data? Internal memos? Customer data?
• What procedures will be necessary to discourage risky behaviour and enforce
established policies? Who will be in charge of enforcing them?

As you create your AUP be sure to:

• Have an understanding of what records and data are vital to the survival of your
organization and the internal and external forces that can affect them.
• Create policies that consider business assets, processes and employee access to files
and data.
• Address employee-generated content, communication channels and connected
devices.
• Evaluate security measures (physical and network-related) and potential solutions.
• Monitor and enforce policy via security technology and human oversight.
• Train employees to recognize risks and refrain from insecure behaviours.

A signed copy of the policy should be included in each employee file, backed up with
your vital records and included in your business continuity plan.
